US Executive Order 14028, issued in May 2021, represents a huge step forward. It aims to improve national cybersecurity and to increase transparency in software supply chains within the public sector. The challenge: it requires information that many companies have never collected.
The Linux Foundation’s OpenChain industry standard for Open Source Software Compliance has become a vital standard used all over the world. Because of this, it was upgraded to an official ISO standard – ISO 5230 – at the end of 2020. A Software Bill of Materials is also an essential element within this standard, and so the ISO adopted and standardised a widely used SBOM format in ISO 5962 in 2021.
Shortly afterwards, US Executive Order 14028 was introduced, requiring SBOMs to be provided to US Government agencies. In the past, many organisations have been reluctant to require SBOMs from their suppliers due to the complexity and adjustments involved in doing so. Executive Order 14028, on the other hand, is now spearheading the idea that SBOMs can be required by default – despite the fact that many organisations need to carry out a lot of work to achieve sufficient SBOM maturity and quality.
The review and delivery of SBOMs has been standard practice in certain industries for quite some time. Even before these new regulations were introduced, we at PwC had long recommended Bill of Materials Compliance Reviews for licences and component security when procuring products and services that include software. With increasing digitalisation, complexity, and use of Open Source Software, we expect to see other governments and industries adopting these requirements.
“SMEs in particular are often overwhelmed by the compliance requirements of a Software Bill of Materials, as they have no access to dedicated or trained personnel.”
It’s no coincidence that software supply chain security and vulnerabilities have recently become a hot topic: cyberattacks on software supply chains have increased considerably in recent years, and the issue has been getting a lot of attention in the media.
Recent examples have dramatically shown that even the smallest malicious element or exploit in a software component at any point in the supply chain can trigger security failures on a global scale. Events such as these could undermine overall trust in software and create concerns among downstream users.
An SBOM provides information giving detailed insights into the software supply chain, such as components used, licences, and information on authors. This provides transparency and makes it possible to identify potential vulnerabilities and legal risks.
Users of the software can use the SBOM as an efficient way of gaining insight into the software supply chain and the potential risks involved in using the software. The world of Open Source Software is highly dynamic. It is therefore essential to regularly re-evaluate any software in use, because new security vulnerabilities and exploits may be discovered at any time. If an SBOM is available, most of this review process can be automated, enabling new risks to be identified and dealt with more quickly. This is one of the reasons why the NTIA has issued a set of minimum requirements for SBOM content.
Under these minimum requirements, the SBOM for each component must include information such as the name of the supplier, the name and version number of the component used, and its relationship to other components. The NTIA also recommends that SBOMs should be updated for each new release, a requirement which could easily lead to failure of non-automated solutions due to bottlenecks and lack of capacity.
The NTIA also emphasises that these requirements may be subject to change as circumstances change. It is therefore recommended that licensing information and detailed depictions of the relationships to other software components should be included in long-term projects or for particularly security-sensitive interfaces, even if this is not strictly necessary at present.
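The kind of automated review described above, as an added example that is not part of this article or of any PwC tooling: a short check of an SPDX 2.x JSON document (the format standardised in ISO 5962) against the minimum elements the article names (supplier, component name, version, relationships), with the recommended licence information treated only as a warning. The SBOM content is constructed for this example.

```python
import json

# Constructed sample SBOM: the application package meets the minimum, libfoo does not.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.4.0",
         "supplier": "Organization: Example GmbH", "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "2.1.3",
         "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
    ],
})

# Per-package fields that the NTIA minimum elements require (as named in the article).
REQUIRED_FIELDS = ("name", "versionInfo", "supplier")

def check_sbom(sbom_json):
    """Return (errors, warnings): errors break the minimum, warnings are advisory."""
    doc = json.loads(sbom_json)
    errors, warnings = [], []
    packages = doc.get("packages", [])
    # Every package must carry a usable supplier, name and version; SPDX's
    # NOASSERTION placeholder does not count as information.
    for pkg in packages:
        pid = pkg.get("SPDXID", "<no SPDXID>")
        for field in REQUIRED_FIELDS:
            value = pkg.get(field)
            if not value or value == "NOASSERTION":
                errors.append(f"{pid}: missing {field}")
        if not pkg.get("licenseConcluded") and not pkg.get("licenseDeclared"):
            warnings.append(f"{pid}: no licence information")
    # Dependency relationships: every package must appear in at least one
    # relationship, and the document must DESCRIBE at least one package.
    related = set()
    describes = False
    for rel in doc.get("relationships", []):
        related.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
        if rel.get("relationshipType") == "DESCRIBES":
            describes = True
    for pkg in packages:
        if pkg.get("SPDXID") not in related:
            errors.append(f"{pkg.get('SPDXID')}: not in any relationship")
    if not describes:
        errors.append("document DESCRIBES no package")
    return errors, warnings
```

Running `check_sbom(SAMPLE_SBOM)` flags libfoo twice (no supplier, no relationship) and warns about its missing licence, which is exactly the gap a supplier would have to close before the SBOM meets the minimum.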
Currently, neither commercial products nor open-source software solutions routinely offer SBOMs that meet the NTIA’s minimum requirements. In most cases, explicit requests have to be made to obtain an SBOM.
In addition, Open Source products sometimes require work to be done by external service providers to meet compliance requirements, as Open Source communities do not always undertake work of this nature. Without an established process, SBOM compliance can quickly become a problem, as ad-hoc solutions are either very expensive or completely non-existent.
To future-proof your company, you need to take action now to ensure that you comply with current software supply chain regulations. An SBOM that meets all minimum requirements provides a solid foundation for compliance, vulnerability analysis and for dealing with legal issues regarding licences, increasing overall security of your systems.
If you need support with administering your SBOMs, PwC managed services are available to help you meet requirements without having to build up all the processes and resources for this internally.
Our Open Source Software Services experts can help you ensure compliance and agility, and support you in realising the benefits of Open Source. Certification by PwC enables you to finalise your Open Source Software Compliance programme, demonstrating to your customers that you comply with ISO 5230.
“Complete and correct Software Bills of Materials are a vital part of trusted software supply chains to enable compliance, security and transparency while reducing the work involved for everyone in the ecosystem.”